Securing Windows Server 2008: Prevent Attacks from Outside and Inside Your Organization
About this ebook
As a result of being at the top of the "most used" and "most hacked" lists, Microsoft has released a truly powerful suite of security tools for system administrators to deploy with Windows Server 2008. This book is the comprehensive guide needed by system administrators and security professionals to master the seemingly overwhelming arsenal of new security tools, including:
1. Network Access Protection, which gives administrators the power to isolate computers that don't comply with established security policies. The ability to enforce security requirements is a powerful means of protecting the network.
2. Enhanced solutions for intelligent rules and policies creation to increase control and protection over networking functions, allowing administrators to have a policy-driven network.
3. Protection of data to ensure it can only be accessed by users with the correct security context, and to make it available when hardware failures occur.
4. Protection against malicious software with User Account Control with a new authentication architecture.
5. Increased control over your user settings with Expanded Group Policy.
...to name just a handful of the new security features. In short, Windows Server 2008 contains by far the most powerful and complex suite of security tools ever released in a Microsoft Server product. Securing Windows Server 2008 provides system administrators and security professionals with the knowledge they need to harness this power.
- Describes new technologies and features in Windows Server 2008, such as improvements to networking and remote access features, centralized server role management, and an improved file system
- Outlines steps for installing only the necessary components and subsystems of Windows Server 2008 in your environment. No GUI needed
- Describes Windows Server 2008's security innovations, such as Network Access Protection, Federated Rights Management, and Read-Only Domain Controller
- Includes coverage of monitoring, securing, and troubleshooting Windows Server 2008
- Covers Microsoft's Hyper-V virtualization technology, which is offered as an add-on to four of the eight versions of Windows Server 2008 and as a stand-alone product
Securing Windows Server 2008
Prevent Attacks from Outside and Inside Your Organization
Aaron Tiensivu
Copyright
© 2008 by Elsevier, Inc. All rights reserved.
Elsevier, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively "Makers") of this book ("the Work") do not guarantee or warrant the results to be obtained from the Work.
There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.
In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.
You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.
Syngress Media®, Syngress®, "Career Advancement Through Skill Enhancement®," "Ask the Author UPDATE®," and "Hack Proofing®," are registered trademarks of Elsevier, Inc. "Syngress: The Definition of a Serious Security Library"™, "Mission Critical™," and "The Only Way to Stop a Hacker is to Think Like One™" are trademarks of Elsevier, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.
PUBLISHED BY
Syngress Publishing, Inc.
Elsevier, Inc.
30 Corporate Drive
Burlington, MA 01803
Securing Windows Server 2008
Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.
Publisher: Andrew Williams
Page Layout and Art: SPI
Copy Editor: Mike McGee
Indexer: Odessa & Cie
Project Manager: Gary Byrne
Cover Designer: Michael Kavish
For information on rights, translations, and bulk sales, contact Matt Pedersen, Commercial Sales Director and Rights, at Syngress Publishing; email m.pedersen@elsevier.com
Table of Contents
Copyright
Brief Table of Contents
Table of Contents
List of Figures
List of Tables
Contributing Authors
Chapter 1. Microsoft Windows Server 2008
Introduction
Server Manager
Using Server Manager to Implement Roles
Server Core
Using Server Core and Active Directory
Uses for Server Core
Active Directory Certificate Services
Configuring a Certificate Authority
Request a Certificate from a Web Server
Certificate Practice Statement
Key Recovery
Active Directory Domain Services
What Is New in the AD DS Installation?
Summary
Solutions Fast Track
Server Manager
Server Core
Active Directory Certificate Services
Active Directory Domain Services
Frequently Asked Questions
Chapter 2. Microsoft Windows Server 2008
Introduction
What Is PKI?
The Function of the PKI
Components of PKI
How PKI Works
Public Key Functionality
Digital Certificates
User Certificates
Machine Certificates
Application Certificates
Working with Certificate Services
Backing Up Certificate Services
Restoring Certificate Services
Assigning Roles
Enrollments
Revocation
Working with Templates
General Properties
Request Handling
Cryptography
Subject Name
Issuance Requirements
Security
Types of Templates
Creating a Custom Template
Securing Permissions
Versioning
Key Recovery Agent
Summary
Solutions Fast Track
What Is PKI?
Digital Certificates
Working with Certificate Services
Working with Templates
Creating a Custom Template
Frequently Asked Questions
Chapter 3. Microsoft Windows Server 2008
Introduction
Configuring Audit Policies
Logon Events
Directory Service Access
Fine-Grain Password and Account Lockout Policies
Read-Only Domain Controllers (RODCs)
Introduction to RODC
Configuring RODC
Removing an RODC
Digital Rights Management Service
Summary
Solutions Fast Track
Configuring Audit Policies
Fine-Grain Password and Account Lockout Policies
Read-Only Domain Controllers (RODCs)
Configuring Active Directory Rights Management Services
Frequently Asked Questions
Chapter 4. Microsoft Windows Server 2008
Introduction
Network Policy Server
Configuring Policies and Settings for NAP Enforcement Methods in NPS
Network Policy and Access Services Role
NTLMv2 and Kerberos Authentication
802.1x Wired and Wireless Access
WLAN Authentication Using 802.1x and 802.3
Configuring 802.1x Settings in Windows Server 2008
Configuring Wireless Access
Set Service Identifier (SSID)
Wi-Fi Protected Access (WPA)
Wi-Fi Protected Access 2 (WPA2)
Ad Hoc vs. Infrastructure Mode
Wireless Group Policy
Summary
Solutions Fast Track
Network Policy Server
Network Policy and Access Services Role
802.1x Wired and Wireless Access
Frequently Asked Questions
Chapter 5. Microsoft Windows Server 2008
Introduction
BitLocker
Trusted Platform Modules
Full Volume Encryption
Startup Process Integrity Verification
Recovery Mechanisms
Remote Administration
Secure Decommissioning
BitLocker Architecture
Keys Used for Volume Encryption
Hardware Upgrades on BitLocker Protected Systems
BitLocker Authentication Modes
When to Use BitLocker on a Windows 2008 Server
Support for Multifactor Authentication on Windows Server 2008
Enabling BitLocker
Installing BitLocker on Windows Server 2008
Turning on and Configuring BitLocker
Administration of BitLocker
Enabling Group Policy Settings for BitLocker and TPM Active Directory Backup
Recovering Data
Disabling BitLocker
Active Directory Rights Management Services
Managing Trust Policies
Configuring Policy Templates
Managing Your AD RMS Cluster
Reporting
Transport Security
Adding a New Security Certificate
Authentication
Authorization
URL Authorization
IP Authorization
Request Filtering
.NET Trust Levels
Summary
Solutions Fast Track
BitLocker
Active Directory Rights Management Services
Authorization
Frequently Asked Questions
Chapter 6. Microsoft Windows Server 2008
Introduction
Not Your Father's TCP/IP Stack
Introduction of IPv6 and Dual Stack
Configuring IPv6 Settings
Using the Network and Sharing Center
Using Network Map
Connect to a Network
Manage Network Connections
Managing Wired Connections
Managing Wireless Connections
Changing from a Private to a Public Network Location
Other Troubleshooting Methods
Summary
Solutions Fast Track
Not Your Father's TCP/IP Stack
The Network and Sharing Center
Network Map
Frequently Asked Questions
Chapter 7. Microsoft Windows Server 2008
Introduction
Server Core Features
Server Core Has Minimal Attack Vector Opportunities
Server Core Requires Less Software Maintenance
Server Core Uses Less Disk Space for Installation
Server Core Components
What Is There?
Which Roles Can Be Installed?
What Is Missing?
Server Core Best Practices
Installing Software
Changing Background Settings and More
Enabling remote cmd.exe with Terminal Services
Changing the Command Prompt
Administrating Server Core with RDP
Creating Batch Menus
Combining Server Core, Read-Only Domain Controller, and BitLocker
Server Core Administration
Installing Server Core
Configuring Server Core
Administrating Server Core
Remote Server Administration Tools (RSAT)
Winrm/winrs
Managing Server Core with Group Policy
PowerShell
Installing Active Directory Domain Services on Server Core
Summary
Solutions Fast Track
Server Core Features
Server Core Components
Server Core Best Practices
Server Core Administration
Frequently Asked Questions
Chapter 8. Configuring Windows Server Hyper-V and Virtual Machines
Introduction
Advancing Microsoft's Strategy for Virtualization
Understanding Virtualization
Understanding the Components of Hyper-V
Configuring Virtual Machines
Installing Hyper-V
Installing and Managing Hyper-V on Windows Server Core Installations
Virtual Networking
Virtualization Hardware Requirements
Virtual Hard Disks
Adding Virtual Machines
Installing Hyper-V and Creating Virtual Machines
Migrating from Physical to Virtual Machines
Planning a P2V Migration
Backing Up Virtual Machines
Backing Up a Virtual Hard Drive
Virtual Server Optimization
Summary
Solutions Fast Track
Configuring Virtual Machines
Migrating from Physical to Virtual Machines
Backing Up Virtual Machines
Virtual Server Optimization
Frequently Asked Questions
Chapter 9. Microsoft Windows Server 2008
Introduction
Terminal Services RemoteApp
Configuring TS RemoteApp
Terminal Services Gateway
Terminal Services Web Access
Configuring TS Remote Desktop Web Connection
Summary
Solutions Fast Track
Terminal Services RemoteApp
Terminal Services Gateway
Terminal Services Web Access
Frequently Asked Questions
List of Figures
Figure 1.1. Server Manager
Figure 1.2. Opening Server Manager
Figure 1.3. List of Server Roles
Figure 1.4. The Installation Summary Confirmation Screen
Figure 1.5. The Server Core Console
Figure 1.6. Setting an IP Address in Server Core
Figure 1.7. Installing Directory Services in Server Core
Figure 1.8. Setting an IP Address in Server Core
Figure 1.9. Using the dnscmd Utility
Figure 1.10. A Windows Server 2008 Certificate Field and Values
Figure 1.11. A Windows Server 2008 Certificate Field and Values
Figure 1.12. Certificates Snap-in
Figure 1.13. Before You Begin
Figure 1.14. Request Certificates
Figure 1.15. Certificate Installation Results
Figure 1.16. Welcome Screen of the CA's Web Site
Figure 2.1. Public / Private Key Data Exchange
Figure 2.2. Digital Signatures
Figure 2.3. A Windows Server 2008 Certificate
Figure 2.4. Certificate Authority Page
Figure 2.5. Items to Back Up
Figure 2.6. Completing the CA Backup Wizard
Figure 2.7. Certificate Authority page
Figure 2.8. Items to Restore
Figure 2.9. Completing the CA Restore Wizard
Figure 2.10. Certification Authority Restore Wizard
Figure 2.11. Extensions Tab of the CA Property Sheet
Figure 2.12. Certificate Templates Snap-in
Figure 2.13. General Tab of the New Template Property Sheet
Figure 2.14. Request Handling Tab of the New Template Property Sheet
Figure 2.15. Cryptography Tab
Figure 2.16. Subject Name Tab of the New Template Property Sheet
Figure 2.17. Issuance Requirements Tab of the New Template Property Sheet
Figure 2.18. Superseded Templates Tab of the New Template Property Sheet
Figure 2.19. Extensions Tab of the New Template Property Sheet
Figure 2.20. Security Tab of the New Template Property Sheet
Figure 2.21. Creating a Custom Template
Figure 2.22. Creating a Custom Template
Figure 2.23. Creating a Custom Template
Figure 2.24. Recovery Agents Tab of the CA Property Sheet
Figure 3.1. Auditing Policies
Figure 3.2. Auditing Configuration Options
Figure 3.3. The Properties Dialog
Figure 3.4. The Advanced Security Settings Dialog
Figure 3.5. The Auditing Entry Dialog
Figure 3.6. Bringing Up the Connections Settings Dialog
Figure 3.7. The Name: Text Box
Figure 3.8. Creating the New Object in ADSI Edit
Figure 3.9. Selecting the msDS-PasswordSettings Option
Figure 3.10. Entering the PSO Name
Figure 3.11. Configuring the Fine-grain Settings
Figure 3.12. The More Attributes Button
Figure 3.13. Associating Users and Global Security Groups
Figure 3.14. The ADSI Utility
Figure 3.15. Opening the Properties for the PSO
Figure 3.16. The Attribute Editor Tab
Figure 3.17. The Multi-valued Distinguished Name with Security Principal Editor Window
Figure 3.18. Confirming Installation Selections
Figure 3.19. The Summary Page
Figure 3.20. Setting Account Credentials
Figure 4.1. NPS and NAP Health Policy Overview
Figure 4.2. NPS Policy Configuration
Figure 4.3. Network Policy and Access Services Server Manager Interface
Figure 4.4. Choosing the NPS Role
Figure 4.5. Overview Screen on NPS
Figure 4.6. Components of 802.1x
Figure 4.7. 802.1x Settings on Wired Windows XP SP2 Client
Figure 4.8. New Vista Wired Network Policy Properties Security Tab
Figure 4.9. Advanced Settings for New Vista Wired Network Policy Properties
Figure 5.1. Startup Component Integrity Verification Flowchart
Figure 5.2. Filter Driver Inserted into the File System Stack
Figure 5.3. Keys Used for Volume Encryption
Figure 5.4. Accessing a BitLocker-Enabled Disk That Is Secured with TPM + PIN
Figure 5.5. BitLocker Refuses to Configure the System Due to an Invalid Partition Scheme
Figure 5.6. Selecting the BitLocker Feature in Server Manager
Figure 5.7. Warning That a TPM Is Missing or Incompatible
Figure 5.8. The Server Is Ready to Turn on BitLocker
Figure 5.9. Saving the BitLocker Password
Figure 5.10. Error Enabling BitLocker
Figure 5.11. Enabling TPM-less Operation in the Local Group Policy
Figure 5.12. USB Startup Key Selection Screen
Figure 5.13. Schema Extension Output
Figure 5.14. AD RMS
Figure 5.15. The Exclude Application Dialog
Figure 5.16. The User Request Analysis Report
Figure 5.17. Server Certificates Module Configuration
Figure 5.20. Internet Explorer Address Bar of a Site Using Extended Validation Certificate
Figure 5.18. Distinguished Name Properties Page
Figure 5.19. Cryptographic Service Provider Page
Figure 5.21. Add Site Binding Dialog
Figure 5.22. SSL Settings Module Configuration
Figure 5.23. Authentication Module Configuration
Figure 5.24. Edit Forms Authentication Settings Dialog
Figure 5.25. Add Allow Authorization Rule Dialog
Figure 5.26. Server-Side Version of Unauthorized Page Access Error Message
Figure 5.27. Add Allow Restriction Rule Dialog with Domain Restrictions Enabled
Figure 6.1. Server Manager on Windows Server 2008
Figure 6.2. The Network Connections Control Panel
Figure 6.3. Selecting a Connection
Figure 6.4. Local Area Connection Properties
Figure 6.5. IPv6 Properties
Figure 6.6. The Network and Sharing Center
Figure 6.7. Shares Available on a Computer Device
Figure 6.8. Connecting to a Network
Figure 6.9. Selecting a Type of Network Connection
Figure 6.10. Options for a VPN Connection
Figure 6.11. Entering the Address of Your Destination
Figure 6.12. Working with Network Hardware Settings
Figure 6.13. The Diagnose and Repair Link
Figure 6.14. Wired and Wireless Connections: Large Icon View
Figure 6.15. WPA2 Passphrase for an Ad Hoc Network Set Up in Windows Server 2008
Figure 6.16. Internet Connection Sharing with Ad Hoc Network Set Up
Figure 6.17. Changing the Network Type to Public
Figure 7.1. The Server Core Console
Figure 7.2. Counting the Number of Services on a Server Core Machine
Figure 7.3. Notepad on a Server Core Machine
Figure 7.4. Changing the Screensaver in Server Core
Figure 7.5. Installing Terminal Services on a Full Windows 2008 Installation
Figure 7.6. Remotely Connected to a Server Core Machine with TS RemoteApp Manager
Figure 7.7. Changing the Look of the Command Prompt
Figure 7.8. What's Displayed in a Batch File
Figure 7.9. Installation Options for Server Core
Figure 7.10. Configuring IP Addressing on Server Core
Figure 7.11. Configuring Windows Firewall on Server Core from a Regular Windows 2008 Server
Figure 7.12. Changing the Regional and Language Options
Figure 7.13. Changing the Regional and Language Options
Figure 7.14. A WINRM Error
Figure 7.15. A Simple Unattended File
Figure 7.16. The Active Directory Domain Services Installation Wizard
Figure 8.1. Viewing the Components of Hyper-V
Figure 8.2. Adding Hyper-V on the Specific Server Roles Page
Figure 8.3. New Virtual Hard Disk Wizard
Figure 8.4. Hyper-V Manager
Figure 8.5. Configuring a Virtual Processor
Figure 8.6. Volume Shadow Copy Service (VSS) Utility for Windows Server 2008
Figure 8.7. Configuring the VSS
Figure 8.8. System Center Operations Manager (SCOM) 2007
Figure 9.1. Windows 2008 Control Panel Option to Install Applications on Terminal Server
Figure 9.2. Installing Applications on Terminal Server
Figure 9.3. Terminal Server Application Wizard Transferring Control to Application
Figure 9.4. Windows 2008 System Tool
Figure 9.5. Remote Desktop Configuration
Figure 9.6. RDP Users Configuration
Figure 9.7. TS RemoteApp Manager
Figure 9.8. Choosing Applications for Remote Access
Figure 9.9. Configuration Applications for Remote Access
Figure 9.10. TS Gateway Server Deployment Scenario
Figure 9.11. TS Gateway Server Deployment Scenario
Figure 9.12. TS Web Access Configuration
Figure 9.13. Applications Through TS Web Access
Figure 9.14. RemoteApp Warning Message
Figure 9.15. ActiveX Error Message
Figure 9.16. Remote Desktop Configurations on TS Web Access
List of Tables
Table 1.1. Partial List of Additional Server Manager Features
Table 1.2. X.509 Certificate Data
Table 5.1. Overview of Windows Server 2008 BitLocker Group Policy Settings
Table 5.2. Attributes Associated with the msFVE-RecoveryInformation Objects
Table 5.3. Security Features Available for Windows Server 2008
Table 7.1. Available and Unavailable Roles and Features on Server Core
Table 7.2. msiexec Command-Line Parameters
Table 7.3. MMC Snap-ins and the Corresponding Firewall Rule Groups
Table 7.4. Command-Line Options for ocsetup.exe
Table 8.1. Key Combinations
Contributing Authors
Dale Liu (CISSP, IAM, IEM, MCSE—Security, MCT) is a senior systems analyst, consultant, and trainer for Computer Revolution Enterprises. He has performed system administration, design, security analysis, and consulting for companies around the world. He currently resides in Houston, TX.
Remco Wisselink (MCT, MCSE NT4, 2000 and 2003, MCSE+messaging 2000 and 2003, MCSE+security 2000 and 2003, CCA, CCEA, SCP, and Multiple Certifications on MCTS and MCITP) is a consultant working for the company IT-to-IT in the Netherlands. Remco has more than 10 years of experience in IT business and has multiple specialties, including ISA, Citrix, Softgrid, Exchange, and Microsoft Operating Systems in general like Windows Server 2008. Remco has been involved in several major infrastructure and mail migrations. Besides acting as a Microsoft Certified Trainer, he's also well known as a speaker at technical events.
Chapter 1. Microsoft Windows Server 2008 - An Overview
Solutions in this chapter:
Server Manager
Server Core
Active Directory Certificate Services
Active Directory Domain Services
Summary
Solutions Fast Track
Frequently Asked Questions
Introduction
With the introduction of new revisions to Microsoft products—for example, Windows, Exchange, and Communications Server—we have seen a trend toward "roles" within each product, as opposed to the various products being an all-in-one type of solution (as with Exchange 2007), or being additional features that work as a snap-in, such as DNS in Windows 2003.
With earlier versions of Windows Server 2000 or 2003, an Active Directory server was just that—an Active Directory server. What we are trying to say here is that it was more-or-less an "all-or-nothing" deal when creating a domain controller in Windows 2003. Very little flexibility existed in the way a domain controller could be installed, with the exception of whether a domain controller would also be a global catalog server or flexible single master operation (FSMO) server.
The new roles in Windows Server 2008 provide a new way for you to determine how they are implemented, configured, and managed within an Active Directory domain or forest. The new roles (and the official Microsoft definitions) are as follows:
Read-only domain controller (RODC): This new type of domain controller, as its name implies, hosts read-only partitions of the Active Directory database. An RODC makes it possible for organizations to easily deploy a domain controller in scenarios where physical security cannot be guaranteed, such as branch office locations, or in scenarios where local storage of all domain passwords is considered a primary threat, such as in an extranet or in an application-facing role.
Active Directory Lightweight Directory Service (ADLDS): Formerly known as Windows Server 2003 Active Directory Application Mode (ADAM), ADLDS is a Lightweight Directory Access Protocol (LDAP) directory service that provides flexible support for directory-enabled applications, without the dependencies required for Active Directory Domain Services (ADDS). ADLDS provides much of the same functionality as ADDS, but does not require the deployment of domains or domain controllers.
Active Directory Rights Management Service (ADRMS): Active Directory Rights Management Services (ADRMS), a format and application-agnostic technology, provides services to enable the creation of information-protection solutions. ADRMS includes several new features that were available in Active Directory Rights Management Services (ADRMS). Essentially, ADRMS adds the ability to secure objects. For example, an e-mail can be restricted to read-only, meaning it cannot be printed, copied (using Ctrl + C, and so on), or forwarded.
Active Directory Federation Services (ADFS): You can use Active Directory Federation Services (ADFS) to create a highly extensible, Internet-scalable, and secure identity access solution that can operate across multiple platforms, including both Windows and non-Windows environments. Essentially, this allows cross-forest authentication to external resources—such as another company's Active Directory. ADFS was originally introduced in Windows Server 2003 R2, but lacked much of its now-available functionality.
These roles can be managed with Server Manager and Server Core. Discussing Server Core is going to take considerably longer, so let's start with Server Manager.
Server Manager
Server Manager is likely to be a familiar tool to engineers who have worked with earlier versions of Windows. It is a single-screen solution that helps manage a Windows server, but is much more advanced than the previous version.
Using Server Manager to Implement Roles
Although we will be discussing Server Manager (Figure 1.1) as an Active Directory Management tool, it's actually much more than just that.
Figure 1.1. Server Manager
In fact, Server Manager is a single solution (technically, a Microsoft Management Console [MMC] snap-in) that is used as a single source for managing system identity (as well as other key system information), identifying problems with servers, displaying server status, enabled roles and features, and general options such as server updates and feedback.
Table 1.1 outlines some of the additional roles and features Server Manager can be used to control:
Table 1.1. Partial List of Additional Server Manager Features
Server Manager is enabled by default when a Windows 2008 server is installed (with the exception of Server Core). However, Server Manager can be shut off via the system Registry and can be re-opened at any time by selecting Start | Administrative Tools | Server Manager, or right-clicking Computer under the Start menu, and choosing Manage (Figure 1.2).
Figure 1.2. Opening Server Manager
So, those are the basics of Server Manager. Now let's take a look at how we use Server Manager to implement a role. Let's take the IIS role and talk about using the Add Role Wizard to install Internet Information Services (IIS).
Tools & Traps…
Using the Add Role Wizard
Notice in Figure 1.1 that the Server Manager window is broken into three different sections:
- Provide Computer Information
- Update This Server
- Customize This Server
Under the Customize This Server section, click the Add Role icon. When the wizard opens, complete the following steps to install IIS onto the server.
1. Click the Add Roles icon.
2. At the Before You Begin window, read the information provided and then click Next.
3. From the list of server roles (Figure 1.3), click the check box next to Web Server (IIS) and then click Next.
Figure 1.3. List of Server Roles
4. If you are prompted to add additional required features, read and understand the features, and then click Add Required Features.
5. When you return to the Select Server Roles screen, click Next.
6. Read the information listed in the Introduction to Web Server (IIS) window and then click Next.
7. For purposes of this example, we will select all of the default Role Services and then click Next.
8. Review the Installation Summary Confirmation screen (Figure 1.4) and then click Install.
Figure 1.4. The Installation Summary Confirmation Screen
9. When installation is complete, click Close.
10. Notice that on the Server Manager screen, Web Server (IIS) is now listed as an installed role.
Configuring & Implementing…
Scripting vs. GUI
Sure, you can always use a wizard to implement a role, but you also have the option of using a script. Realistically speaking, however, a script is generally not the most efficient way to deploy a role on a single server. Unless you are going to copy and paste the script, the chance of a typing error in the required commands is high. For example, take the following IIS script syntax:
start /w pkgmgr /iu:IIS-WebServerRole;IIS-WebServer;IIS-CommonHttpFeatures;IIS-StaticContent;IIS-DefaultDocument;IIS-DirectoryBrowsing;IIS-HttpErrors;IIS-HttpRedirect;IIS-ApplicationDevelopment;IIS-ASPNET;IIS-NetFxExtensibility;IIS-ASP;IIS-CGI;IIS-ISAPIExtensions;IIS-ISAPIFilter;IIS-ServerSideIncludes;IIS-HealthAndDiagnostics;IIS-HttpLogging;IIS-LoggingLibraries;IIS-RequestMonitor;IIS-HttpTracing;IIS-CustomLogging;IIS-ODBCLogging;IIS-Security;IIS-BasicAuthentication;IIS-WindowsAuthentication;IIS-DigestAuthentication;IIS-ClientCertificateMappingAuthentication;IIS-IISCertificateMappingAuthentication;IIS-URLAuthorization;IIS-RequestFiltering;IIS-IPSecurity;IIS-Performance;IIS-HttpCompressionStatic;IIS-HttpCompressionDynamic;IIS-WebServerManagementTools;IIS-ManagementConsole;IIS-ManagementScriptingTools;IIS-ManagementService;IIS-IIS6ManagementCompatibility;IIS-Metabase;IIS-WMICompatibility;IIS-LegacyScripts;IIS-LegacySnapIn;IIS-FTPPublishingService;IIS-FTPServer;IIS-FTPManagement;WAS-WindowsActivationService;WAS-ProcessModel;WAS-NetFxEnvironment;WAS-ConfigurationAPI
This script installs ALL of the IIS features, which may not be the preferred installation for your environment, and within the time it took to type it out, you may have already completed the GUI install!
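One way to act on both cautions above (typing errors, and installing every feature), as an added example that is not from the book: a PowerShell check that lints a pkgmgr line against a reviewed package list and regenerates a clean line from that list. The $Reviewed subset and the function names Test-PkgmgrCommand and New-PkgmgrCommand are assumptions for illustration, not a baseline the book recommends.

```powershell
# Added example, not from the book. $Reviewed is a hypothetical site-approved
# subset of the package names in the command above; adjust it to your own baseline.
$Reviewed = @(
    'IIS-WebServerRole', 'IIS-WebServer', 'IIS-CommonHttpFeatures',
    'IIS-StaticContent', 'IIS-DefaultDocument', 'IIS-HttpErrors',
    'IIS-HealthAndDiagnostics', 'IIS-HttpLogging', 'IIS-Security',
    'IIS-RequestFiltering', 'WAS-WindowsActivationService', 'WAS-ProcessModel'
)

function Test-PkgmgrCommand {
    param([string]$CommandLine, [string[]]$Approved)
    # Everything after /iu: is meant to be one semicolon-separated argument.
    if ($CommandLine -notmatch '/iu:(?<list>.*)$') {
        return @('no /iu: argument found')
    }
    $list = $Matches['list']
    $findings = @()
    $seen = @{}
    foreach ($raw in ($list -split ';')) {
        $name = $raw.Trim()
        if ($name -eq '') {
            $findings += 'empty entry (doubled or trailing semicolon)'
            continue
        }
        # A space ends the argument, so the names after it never reach the list.
        if ($raw -ne $name -or $name -match '\s') {
            $findings += "whitespace in or around '$raw'"
        }
        if ($seen.ContainsKey($name)) { $findings += "duplicate: $name" }
        $seen[$name] = $true
        if ($Approved -notcontains $name) {
            $findings += "not on the approved list: $name"
        }
    }
    return $findings
}

function New-PkgmgrCommand {
    param([string[]]$Packages)
    # Join with bare semicolons so the whole list stays a single argument.
    return 'start /w pkgmgr /iu:' + ($Packages -join ';')
}

# Constructed sample: a hand-typed line with stray spaces and an unreviewed feature.
$typed = 'start /w pkgmgr /iu:IIS-WebServerRole;IIS-WebServer; IIS-StaticContent;IIS-Request Monitor;IIS-FTPServer'
$problems = @(Test-PkgmgrCommand -CommandLine $typed -Approved $Reviewed)
$problems | ForEach-Object { "FINDING: $_" }
if ($problems.Count -gt 0) { New-PkgmgrCommand -Packages $Reviewed }
```

For the constructed line, the check reports the two whitespace errors and the two names that are not on the reviewed list, then prints a clean command to paste into the server's command prompt.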
Server Core
Server Core brings a new way not only to manage roles but also to deploy a Windows Server. With Server Core, we can say goodbye to unnecessary GUIs, applications, services, and many more commonly attacked features.
Using Server Core and Active Directory
For years, Microsoft engineers have been told that Windows would never stand up to Linux in terms of security simply because it was too darn "heavy" (too much code), loaded too many modules (services, startup applications, and so on), and was generally too GUI heavy. With Windows Server 2008, Microsoft engineers can stand tall, thanks to the introduction of Server Core.
What Is Server Core?
What is Server Core, you ask? It's the "just the facts, ma'am" version of Windows 2008. Microsoft defines Server Core as a minimal server installation option for Windows Server 2008 that contains a subset of executable files, and five server roles.
Essentially, Server Core provides only the binaries needed to support the role and the base operating system. By default, fewer processes are generally running.
Server Core is so drastically different from what we have come to know from Windows Server NT, Windows Server 2000, or even Windows Server 2003 over the past decade-plus, that it looks more like MS-DOS than anything else (Figure 1.5). With Server Core, you won't find Windows Explorer, Internet Explorer, a Start menu, or even a clock! Becoming familiar with Server Core will take some time. In fact, most administrators will likely need a cheat sheet for a while. To help with it all, you can find some very useful tools on Microsoft TechNet at http://technet2.microsoft.com/windowsserver2008/en/library/e7e522ac-b32f-42e1-b914-53ccc78d18161033.mspx?mfr=true. This provides command and syntax lists that can be used with Server Core. The good news is, for those of you who want the security and features of Server Core with the ease-of-use of a GUI, you have the ability to manage a Server Core installation using remote administration tools.
Figure 1.5. The Server Core Console
Before going any further, we should discuss exactly what will run on a Server Core installation. Server Core is capable of running the following server roles:
- Active Directory Domain Services Role
- Active Directory Lightweight Directory Services Role
- Dynamic Host Configuration Protocol (DHCP)
- Domain Name System (DNS) Services Role
- File Services Role
- Hyper-V (Virtualization) Role
- Print Services Role
- Streaming Media Services Role
- Web Services (IIS) Role
Note
Internet Information Server is Microsoft's brand of Web server software, utilizing Hypertext Transfer Protocol to deliver World Wide Web documents. It incorporates various functions for security, allows for CGI programs, and also provides for Gopher and FTP servers.
Although these are the roles Server Core supports, it can also support additional features, such as:
- Backup
- BitLocker
- Failover Clustering
- Multipath I/O
- Network Time Protocol (NTP)
- Removable Storage Management
- Simple Network Management Protocol (SNMP)
- Subsystem for Unix-based applications
- Telnet Client
- Windows Internet Naming Service (WINS)
Note
BitLocker Drive Encryption is an integral new security feature in Windows Server 2008 that protects servers at locations, such as branch offices, as well as mobile computers for all those roaming users out there. BitLocker provides offline data and operating system protection by ensuring that data stored on the computer is not revealed if the machine is tampered with when the installed operating system is offline.
The concept behind the design of Server Core is to truly provide a minimal server installation. The belief is that rather than installing all the applications, components, services, and features by default, it is up to the implementer to determine what will be turned on or off.
Installation of Windows 2008 Server Core is fairly simple. During the installation process, you have the option of performing a Standard Installation or a Server Core installation. Once you have selected the hard drive configuration, license key activation, and End User License Agreement (EULA), you simply let the automatic installation continue to take place. When installation is done and the system has rebooted, you will be prompted with the traditional Windows challenge/response screen, and the Server Core console will appear.
Configuring & Implementing…
Configuring the Directory Services Role in Server Core
So let's put Server Core into action and use it to install Active Directory Domain Services. To install the Active Directory Domain Services Role, perform the following steps:
The first thing we need to do is set the IP information for the server. To do this, we first need to identify the network adapter. In the console window, type netsh interface ipv4 show interfaces and record the number shown under the Idx column.
Set the IP address, Subnet Mask, and Default Gateway for the server. To do this, type netsh interface ipv4 set address name=
source=static address=
Figure 1.6. Setting an IP Address in Server Core
Assign the IP address